San Bernardino County Employees Retirement Association
File #: 24-269    Name:
Type: Action Item
File created: 6/27/2024 In control: BOARD OF RETIREMENT
On agenda: 8/1/2024 Final action:
Title: Recommend that the Board approve an initial three-year contract for services with Palo Alto Networks for Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) services via a National Association of State Procurement Officials (NASPO) contract for a cost not to exceed $570,000; authorize the Chief Executive Officer to execute an agreement with Carahsoft Technology Corporation through their local reseller Netsync Network Solutions in a form approved by Chief Counsel.
Attachments: 1. Exhibit A: Netsync Proposal

 

FROM:                                           Joe Michael, Chief Information Officer

 

SUBJECT:                                            ZTNA and SASE Security Solutions

 

RECOMMENDATION:


Recommend that the Board approve an initial three-year contract for services with Palo Alto Networks for Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) services via a National Association of State Procurement Officials (NASPO) contract for a cost not to exceed $570,000; authorize the Chief Executive Officer to execute an agreement with Carahsoft Technology Corporation through their local reseller Netsync Network Solutions in a form approved by Chief Counsel.


 

BACKGROUND:

SBCERA has identified Cloud services as reliable, scalable, and fault tolerant.  Cloud services allow Staff the flexibility to provide services to our Members and Employers irrespective of physical location and allow continued access to our systems and services regardless of disruptive events.  ZTNA & SASE add the necessary security layers to the Cloud services to ensure only authorized individuals and devices access our data, systems, and services regardless of where in the Cloud they may reside.

 

ZTNA provides secure access based on defined policies.  Unlike traditional Virtual Private Networks (VPNs), which generally grant complete access to an organization’s internal network or Cloud environment, ZTNA defaults to deny, providing only the access to data, systems, and services the user has been explicitly granted.

 

ZTNA controls access by first requiring the user to be authenticated to the ZTNA service.  The ZTNA service then grants access on the user’s behalf through a secure, encrypted tunnel.  This provides an added layer of protection by shielding otherwise publicly visible IP addresses and connections.  Additionally, systems connected to a ZTNA service continuously have their trusted access and security posture verified, and all data is inspected to mitigate data loss, fraud, and breach.  In the event any of these fail inspection, the user and/or device would immediately lose access to the resource.

 

SASE enables organizations to support hybrid workforces and cloud-distributed solutions by connecting them through cloud gateways instead of relying on the company’s on-premises environment.  Software-based networking tools and applications that were once physical on-premises solutions now analyze and route traffic for users across the internet.  Malware inspection, regulatory compliance, data protection, URL filtering, advanced threat protection, intrusion prevention, and DNS security are all applied and adjustable in real time.

 

SBCERA’s current on-premises Datacenter has been hardened and configured to ensure staff is protecting members’ data and the organization’s systems in a secure and responsible manner.  ZTNA & SASE is the next iteration of that security-minded approach as SBCERA evolves how it utilizes technology.

 

SBCERA’s choice of Palo Alto was derived from a nearly twelve-month project of requirements and information gathering.  SBCERA began the project utilizing both Gartner’s Magic Quadrant and Forrester’s Wave (see Figure 1) for ZTNA and SASE solutions to identify leaders in the core categories, and began holding conversations with the top half-dozen that were found on both charts.  Through multiple meetings and product demonstrations, staff narrowed the list to four competitors; staff ultimately obtained proposals from three of those competitors (Palo Alto, Zscaler, Fortinet), cutting the fourth solution due to a lack of key security controls.

 

 

Figure 1

 

Staff engaged with Forrester Research as an independent analyst, walking them through the entire process again, ending with the same three finalists SBCERA had previously chosen.  The Forrester Research Analyst then provided additional documentation and their own review of each finalist with the pros, cons, and when the solution would be viable.  Based on both the analysis from Forrester Research as well as staff’s review, Palo Alto Networks was the preferred choice for organizations wanting to provide the highest level of security currently available.

 

Palo Alto Networks is the current market leader in ZTNA and SASE solutions.  During meetings and product reviews, Palo Alto has consistently demonstrated their understanding that each organization is different and the need to provide distinct, individual solutions.  Their products and services illustrate this understanding by way of their sophistication and flexibility including:

 

                     Providing both cloud and hybrid solutions

                     Providing on-premises equipment to limit unnecessary complexity for offices

                     Excelling at protecting hybrid workforces

                     Agent and agentless deployment options for end users

                     Ability to monitor end-points

                     Ability to secure connections between physical locations such as remote offices

                     Long-term commitment to AI and Machine Learning to support security

                     Providing their own Professional Services

 

Palo Alto requires a 3-year commitment with a minimum 200 license count.  These numbers are indicative of their enterprise level solution and are common for other enterprise grade solutions of this level.

 

BUDGET IMPACT:

Costs for this item are included in the current year administrative and/or non-administrative budget.

 

STRATEGIC PLANNING GOAL/OBJECTIVE:

Operational Excellence & Efficiency

 

STAFF CONTACT:

Joe Michael

 

ATTACHMENTS:

Exhibit A:                     Netsync Proposal